Manual Chapter : Applying a Pre-built Cipher String for SSL Negotiation

Applies To:

  • BIG-IP AAM: 15.1.10, 15.1.9, 15.1.8, 15.1.7, 15.1.6, 15.1.5, 15.1.4, 15.1.3, 15.1.2, 15.1.1, 15.1.0, 15.0.1, 15.0.0
  • BIG-IP APM, BIG-IP Analytics, BIG-IP Link Controller, BIG-IP LTM, BIG-IP PEM, BIG-IP AFM, BIG-IP DNS, BIG-IP ASM: 17.1.1, 17.1.0, 17.0.0, 16.1.4, 16.1.3, 16.1.2, 16.1.1, 16.1.0, 16.0.1, 16.0.0, 15.1.10, 15.1.9, 15.1.8, 15.1.7, 15.1.6, 15.1.5, 15.1.4, 15.1.3, 15.1.2, 15.1.1, 15.1.0, 15.0.1, 15.0.0

Applying a Pre-built Cipher String for SSL Negotiation

Overview: Using a pre-built cipher string

Before the BIG-IP system can process SSL traffic, you need to define the cipher string that the system uses when negotiating security settings with client or server systems. Typing a raw cipher string into the system is tedious and error-prone, and a typo is easy to miss. It can also be insecure, because a mistyped or poorly chosen cipher string can cause the system to negotiate in a way that you did not intend.
To solve these problems, you can use a pre-built cipher string, known as a cipher group. A pre-built cipher group is a named set of cipher suites (known as a cipher rule) together with a set of instructions that the system uses to create the final cipher string for SSL negotiation.
All pre-built cipher groups are available on the BIG-IP system, and you can assign any one of these cipher groups to a Client SSL or Server SSL profile. They are:
  • /Common/f5-default
  • /Common/f5-aes
  • /Common/f5-ecc
  • /Common/f5-hw_keys
  • /Common/f5-secure
For example, this illustration shows the pre-built cipher group named /Common/f5-ecc. This cipher group contains the cipher rule of the same name (/Common/f5-ecc), which contains the cipher string ECDHE:ECDHE_ECDSA (not shown). The cipher group is configured to allow the contents of the cipher rule into the final cipher string. You can see a preview of the resulting cipher string in the Cipher Audit area of the screen:

About BIG-IP cipher support

The BIG-IP system includes a default cipher string named DEFAULT, which contains a subset of the cipher suites that the BIG-IP system supports.
The full set of cipher suites that the BIG-IP system supports is contained in the NATIVE cipher string. The cipher suites contained in the DEFAULT and NATIVE cipher strings are eligible for hardware acceleration.
The BIG-IP system supports a large set of cryptographic parameters that you can use to control how the BIG-IP system manages SSL/TLS connections.
For TLS 1.2 and TLS 1.3, you can configure all or some of these cryptographic parameters:
  • Cipher suites.
  • Key exchange algorithms, for example RSA, DH, or ECDHE.
  • Signature algorithms, for example RSA or ECDSA.
  • Encryption primitives, for example AES128 or CAMELLIA.
  • Hash algorithms, for example SHA256.
  • Message authentication codes, for example HMAC-SHA256 or HMAC-SHA384.

Task summary for configuring a pre-built cipher string

There are a few tasks you need to perform to configure a pre-built cipher string that the system will use for SSL negotiation.
This illustration shows the order that you need to perform these tasks in.

Confirm the ability to use a pre-built cipher group

Before you configure a cipher string for the BIG-IP system to use in SSL negotiations with client or server systems, you need to determine whether you can use a pre-built cipher group or whether you need to create a custom cipher group. You do this by viewing each pre-built cipher group on the system.
  1. On the Main tab, click Local Traffic > Ciphers > Groups.
     The screen displays a list of pre-built cipher groups.
  2. In the Name column, click the name of a cipher group.
     For example, click /Common/f5-ecc.
  3. In the Available Cipher Rules list, find the corresponding cipher rule and click the plus sign to view the cipher suites included in the rule.
     For example, this shows the cipher suites included in the pre-built cipher rule named /Common/f5-ecc.
  4. Click Cancel.
  5. As an option, you can repeat this task for any other pre-built cipher groups.
After doing this task, if you found no pre-built cipher group containing all of the cipher suites you need for your cipher string, you'll need to create your own custom cipher group instead.

Specify a cipher group within an SSL traffic filter

Before starting this task, make sure that the relevant traffic filter for managing SSL traffic (either a Client SSL or Server SSL profile) exists on the BIG-IP system.
You specify the cipher string that the BIG-IP system uses to negotiate security settings with a client or server system by assigning a cipher group to a Client SSL or Server SSL profile.
  1. On the Main tab, click Local Traffic > Profiles > SSL > Client or Local Traffic > Profiles > SSL > Server.
     The Client SSL or Server SSL profile list screen opens.
  2. Click the name of a profile.
  3. From the Configuration list, select Advanced.
  4. On the right side of the screen, select the Custom check box.
  5. For the Ciphers setting, click Cipher Group and, from the list, select a cipher group.
  6. Click Update.

Activate a cipher string for an application flow

Before starting this task, make sure that the virtual server for the relevant SSL application flow exists on the BIG-IP system.
You activate a cipher string for a specific application flow by assigning a Client SSL or Server SSL profile (or both) to a virtual server. This causes the BIG-IP system to use the cipher group specified in the profile to build the cipher string for negotiating security settings for SSL connections.
  1. On the Main tab, click Local Traffic > Virtual Servers.
     The Virtual Server List screen opens.
  2. Click the name of a virtual server.
  3. From the Configuration list, select Advanced.
  4. For the SSL Profile (Client) and the SSL Profile (Server) settings, from the Available list, select the name of the SSL profile you previously created, and move the name to the Selected list.
     Using the SSL Profile (Server) setting is optional.
  5. Click Update to save the changes.
The BIG-IP system now uses the cipher group specified in an SSL profile to build a cipher string to use when negotiating security for the relevant application flow.
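Once the profile and virtual server are in place, a client-side check confirms that the flow really negotiates only what the cipher group intends. The following is an added example, not code from the F5 manual or the BIG-IP software; it assumes the /Common/f5-ecc group is assigned and that its rule ECDHE:ECDHE_ECDSA permits ECDHE key exchange only, and "vip.example.test" is a placeholder for the virtual server address.

```python
"""Added example, not F5 code: check from the client side that a virtual
server negotiates only the suites its cipher group intends to allow.
Assumes /Common/f5-ecc is assigned and that its rule ECDHE:ECDHE_ECDSA
permits ECDHE key exchange only (an assumption about BIG-IP keywords)."""
from __future__ import annotations
import socket
import ssl

# Constructed policy for f5-ecc: OpenSSL-style names with these prefixes
# use ECDHE key exchange; any other TLS 1.2 suite is a violation.
ECC_ALLOWED_KX = ("ECDHE-RSA-", "ECDHE-ECDSA-")

def kx_allowed(cipher_name: str, allowed_prefixes=ECC_ALLOWED_KX) -> bool:
    """True if a negotiated cipher name uses an allowed key exchange. TLS 1.3
    names (TLS_AES_*, TLS_CHACHA20_*) omit the key exchange because TLS 1.3
    always uses (EC)DHE, so they pass."""
    if cipher_name.startswith("TLS_"):
        return True
    return cipher_name.startswith(allowed_prefixes)

def audit(negotiated: list[str], allowed_prefixes=ECC_ALLOWED_KX) -> list[str]:
    """Return the negotiated names that violate the policy (empty means pass)."""
    return [c for c in negotiated if not kx_allowed(c, allowed_prefixes)]

def probe_tls12_suites(host: str, port: int = 443) -> list[str]:
    """Enumerate the TLS 1.2 suites a server will pick: offer a broad list,
    record the choice, drop it from the offer and repeat until the handshake
    fails. Needs network reachability to the virtual server."""
    seen: list[str] = []
    offer = "ALL:@SECLEVEL=0"
    while True:
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ctx.check_hostname = False  # auditing ciphers, not the certificate
        ctx.verify_mode = ssl.CERT_NONE
        ctx.maximum_version = ssl.TLSVersion.TLSv1_2
        try:
            ctx.set_ciphers(offer)
            with socket.create_connection((host, port), timeout=5) as raw, \
                    ctx.wrap_socket(raw, server_hostname=host) as tls:
                chosen = tls.cipher()[0]
        except (ssl.SSLError, OSError):
            break  # nothing left in the offer that the server accepts
        seen.append(chosen)
        offer += f":!{chosen}"  # '!' removes the suite from the next offer
    return seen

if __name__ == "__main__":
    # "vip.example.test" is a placeholder for the virtual server's address.
    found = probe_tls12_suites("vip.example.test")
    print("negotiated:", found, "violations:", audit(found))
```

An empty violations list means every TLS 1.2 suite the virtual server was willing to pick uses ECDHE key exchange, matching what the f5-ecc group's Cipher Audit preview shows.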